Financial institutions are expected to provide some level of training to users. Making sure the right topics are covered, and that everyone completes the training, can be a tall order for those responsible for putting it together for their company. So we decided to share some topics that we highly recommend be included in employee cybersecurity training programs.
- Think Before You Click: Not clicking on links in suspicious email messages is a common training topic in most institutions, with many using KnowBe4 or similar products to regularly reinforce the message. But a link in an email simply opens a web browser, and the Internet is made up of links that are just as dangerous as those in email messages. Make sure your training addresses web links also! (We've got a great article that covers this topic in more depth, called The 5 Laws of Links.)
- Browse Smart: Employees need to be trained that work PCs are for work and that they need to minimize browsing to websites that are not business-related. Most IT professionals can tell the story of an employee whose PC was infected by an ad on a major news site. While web filters do a pretty good job of weeding out malicious sites, no web filter is 100% effective.
- Password Safety: A long, complex password is required today to mitigate the risk of someone being able to guess it, but this increases the risk that the employee will not memorize the password. Be sure to stress that passwords must not be recorded in spreadsheets, on paper scraps, etc., as these are common places attackers look when they first gain access to a system. We also recommend you teach employees to devise passphrases made up of random words that include mixed case letters, numbers, and special characters. Words are easier to memorize than random characters, so the passphrases can be longer and will minimize the need to write the passphrase down.
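As an added example (not part of the original article), the following Python script shows what the passphrase advice above looks like in practice: it draws random words from a wordlist with a cryptographically secure generator, adds the mixed case, digits and a separator character that most password policies require, checks the result against a simple policy, and compares the entropy of a word-based passphrase against a short random-character password. The wordlist, the separator set and the policy thresholds are constructed for this example; a real deployment would load a large published wordlist.

```python
"""Random-word passphrase generation and strength comparison (added example)."""
import math
import secrets
from typing import Optional, Sequence

# Constructed sample wordlist for this example only. A real deployment would
# load a large published list (for example a 7776-word diceware list) so that
# each word contributes about 12.9 bits of entropy instead of the ~4.3 bits
# that a 20-word list gives.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pepper", "quartz", "ripple", "saddle", "timber",
]

# Special characters used to join the words (constructed set).
SEPARATORS = "-_.!#$%&*+=?@"


def generate_passphrase(words: Sequence[str], n_words: int = 4,
                        rng: Optional[secrets.SystemRandom] = None) -> str:
    """Build a passphrase of n_words random words joined by a random separator,
    with one word capitalised and two random digits appended.

    Words are chosen uniformly with a CSPRNG so that the entropy estimate
    below actually holds; a predictable generator would make it meaningless.
    """
    rng = rng or secrets.SystemRandom()
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    chosen = [rng.choice(words) for _ in range(n_words)]
    # Mixed case: capitalise one randomly chosen word.
    idx = rng.randrange(n_words)
    chosen[idx] = chosen[idx].capitalize()
    sep = rng.choice(SEPARATORS)
    digits = f"{rng.randrange(100):02d}"
    return sep.join(chosen) + sep + digits


def meets_policy(passphrase: str, min_length: int = 16) -> bool:
    """Check the passphrase against a typical complexity policy:
    minimum length plus lower case, upper case, a digit and a special character."""
    return (
        len(passphrase) >= min_length
        and any(c.islower() for c in passphrase)
        and any(c.isupper() for c in passphrase)
        and any(c.isdigit() for c in passphrase)
        and any(not c.isalnum() for c in passphrase)
    )


def words_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy (bits) from the word choice alone, ignoring the small extra
    contribution of the separator, capitalisation and digits."""
    return n_words * math.log2(wordlist_size)


def chars_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a password of `length` characters drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("passphrase:", phrase, "policy ok:", meets_policy(phrase))
    # Five words from a 7776-word list beat eight random printable characters.
    print("5 words x 7776-word list: %.1f bits" % words_entropy_bits(7776, 5))
    print("8 random printable chars: %.1f bits" % chars_entropy_bits(94, 8))
```

The entropy functions make the article's point concrete: five words from a 7776-word list give about 64.6 bits, more than an 8-character password drawn from all 94 printable ASCII characters (about 52.4 bits), while being far easier to remember and therefore less likely to end up on a sticky note.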
- Don’t Reuse Passwords: Stress to employees that they should not reuse their passwords on other systems or websites. Attackers regularly attempt to use credentials that they have acquired in a breach on multiple sites, so an employee who also used their network password on their credit card site may find that an attacker who breached their credit card company has accessed their work account also.
- Avoid Public Wi-Fi: Teach employees that most public Wi-Fi sites are not secure and should not be used by their laptop or other equipment that has access to company data. Attackers live on these wireless networks and are able to probe the system without having to get around a firewall first. Employees should only use private Wi-Fi sites that are under their control or are known to be secure.
Now that you have some great ideas, don't forget to track who has and has not completed training. Auditors and examiners will want to see that this is being done in your institution. If this seems like an overwhelming task, you can look into third parties to administer employee training for you. We recommend that it's done continuously throughout the year rather than as a one-and-done event. If you'd like help with your employee user training, we can administer it for you or suggest other third parties who do.